Re: Prevent setting of PHP_AUTH_PW?
Mark Reed, 05-09-2008

On May 9, 11:33 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> If you can't trust your developers, you're in trouble.
>
> And anything you take out they can easily bypass.


For the third time, I'm not worried about malicious attacks. I don't
care how much I trust my developers... and in this case, I'm also the
developer, so that's a lot of trust... I don't want anyone's passwords
exposed. That said, I'm not trying to make it impossible to retrieve
passwords - all I'm trying to do is make it not automatic. This does
not seem to me like an outlandish request.

I don't even understand why the password is made available in the
first place. It seems that either you're doing the authentication
with PHP code, in which case the password is submitted to PHP as a
form field, or you're doing it in the web server, in which case the
PHP has no need to ever see the password.

Anyway, if you don't know of a way to prevent this behavior, that's
fine, but please stop telling me that it's unreasonable for me to want
to do so.

I'd settle for a way to insert a script that unsets it before any
other PHP is run. I don't suppose there's any way to insert a PHP
script that gets executed ahead of any other PHP code on the site?

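The prepend script asked about at the end of the post can be sketched as follows. This is an added example, not part of the original post; it assumes the file is loaded through PHP's `auto_prepend_file` directive, and the file name and function name are hypothetical.

```php
<?php
// scrub_auth.php (hypothetical name): added example, not from the original post.
// Assumed deployment, in php.ini (the path is a placeholder):
//   auto_prepend_file = /path/to/scrub_auth.php
// PHP then runs this file before the main script of every request.

/**
 * Remove the HTTP Basic password from a $_SERVER-style array.
 * PHP_AUTH_USER is left in place so the application can still
 * identify the authenticated user.
 * Returns the list of keys that were removed.
 */
function scrub_basic_auth_password(array &$server): array
{
    $removed = [];

    // The decoded password itself.
    if (array_key_exists('PHP_AUTH_PW', $server)) {
        unset($server['PHP_AUTH_PW']);
        $removed[] = 'PHP_AUTH_PW';
    }

    // Copies of the raw Authorization header, which carry
    // base64("user:password") when the scheme is Basic.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!array_key_exists($key, $server)) {
            continue;
        }
        // Leave other schemes (Digest, Bearer, ...) untouched.
        if (stripos(ltrim((string) $server[$key]), 'basic ') !== 0) {
            continue;
        }
        unset($server[$key]);
        $removed[] = $key;
    }

    return $removed;
}

// Scrub the live request before any application code sees it.
scrub_basic_auth_password($_SERVER);
```

Under Apache, `getallheaders()` / `apache_request_headers()` still return the raw `Authorization` header, so this makes the password non-automatic rather than unreachable, which matches the goal stated in the post.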